NSA director Mike Rogers testified in front of a Senate committee this week, lamenting that the poor ol’ NSA just doesn’t have the “cyber-offensive” capabilities (read: the ability to hack people) it needs to adequately defend the US. How cyber-attacking countries will help cyber-defense is anybody’s guess, but the idea that the NSA is somehow hamstrung is absurd.

Yes, we (or rather, our representatives) are expected to believe the NSA is just barely getting by when it comes to cyber-capabilities. Somehow, backdoors in phone SIM cards, backdoors in networking hardware, backdoors in hard drives, compromised encryption standards, collection points on internet backbones, the cooperation of national security agencies around the world, stealth deployment of malicious spyware, the phone records of pretty much every American, access to major tech company data centers, an arsenal of purchased software and hardware exploits, various odds and ends yet to be disclosed and the full support of the last two administrations just isn't enough. Now, it wants the blessing of lawmakers to do even more than it already does. Which is quite a bit, actually.

The NSA runs sophisticated hacking operations all over the world. A Washington Post report showed that the NSA carried out 231 “offensive” operations in 2011 - and that number has surely grown since then. That report also revealed that the NSA runs a $652m project that has infected tens of thousands of computers with malware.

That was four years ago -- a lifetime when it comes to an agency with the capabilities the NSA possesses. Anyone who believes the current numbers are lower is probably lobbying for increased power. And they don't believe it. They'd just act like they do.

Unfortunately, legislators may be in a receptive mood. CISA -- CISPA rebranded -- is back on the table. The recent Sony hack, which caused millions of dollars of embarrassment, has gotten more than a few of them fired up about the oft-deployed term "cybersecurity." Most of those backing this legislation don't seem to have the slightest idea (or just don't care) how much collateral damage it will cause or the extent to which they're looking to expand government power.

The NSA knows, and it wants this bill to sail through unburdened by anything more than its requests for permission to fire.

The bill will do little to stop cyberattacks, but it will do a lot to give the NSA even more power to collect Americans’ communications from tech companies without any legal process whatsoever. The bill’s text was finally released a couple days ago, and, as EFF points out, tucked in the bill were the powers to do the exact type of “offensive” attacks for which Rogers is pining.

In the meantime, Section 215 languishes slightly, as Trevor Timm points out. But that's the least of the NSA's worries. It has tech companies openly opposing its "collect everything" approach. Apple and Google are both being villainized by security and law enforcement agencies for their encryption-by-default plans. More and more broad requests for user data are being challenged, and (eventually) some of the administration's minor surveillance tweaks will be implemented.

Section 215 may die. (Or it may keep on living even in death, thanks to some ambiguous language in the PATRIOT Act.) But I would imagine the bulk phone metadata is no longer a priority for the NSA. It has too many other programs that harvest more and face fewer challenges. The NSA wants to be a major cyberwar player, which is something that will only increase its questionable tactics and domestic surveillance efforts. If it gets its way via CISA, it will be able to make broader and deeper demands for information from tech companies. Under the guise of "information sharing," the NSA will collect more and share less. And what it does share will be buried under redactions, gag orders and chants of "national security." Its partnerships with tech companies will bear a greater resemblance to parasitic relationships than anything approaching equitable, especially when these companies will have this "sharing" foisted upon them by dangerously terrible legislation.

But until it reaches that point, the NSA will keep claiming it's under-equipped to handle the modern world. And it will continue to make the very dubious claim that the best defense is an unrestrained offense.

Any hackers that manage to carry out "cyberattacks which result in loss of life, serious illness or injury or serious damage to national security, or a significant risk thereof" would face the full life sentence, according to the serious crime bill proposed in Wednesday's Queen's speech.

As well as targeting cyberterrorists, the new offence in the proposed update to the Computer Misuse Act [CMA] 1990 would also hand harsher sentences to those hackers carrying out industrial espionage, believed to be a growing menace affecting UK business.

The law would have a maximum sentence of 14 years for attacks that create "a significant risk of severe economic or environmental damage or social disruption". Currently, the section of the CMA covering such an offence carries a 10-year sentence.

Much of this is the kind of activity carried out in the form of attacks sponsored by governments outside the UK -- or, as in the case of the NSA, directly by those governments. Despite the recent grandstanding by the US when it filed criminal charges against members of the Chinese military whom it accuses of espionage, there is little hope of ever persuading the main players to hand over their citizens for trial, so the new UK law will be largely ineffectual against the most serious threats.

But there is a real danger in the "or significant risk, thereof" part, since that gives the UK authorities huge scope to claim -- as they have in other contexts -- that some online action "risked" some terrible outcome, even though nothing actually happened. Things are made worse by the fact that there is no public interest defense or exemption for research. As the Guardian notes:

The government has also not addressed complaints over the application of current computer crime law, which some in the security industry claim actually makes the internet less safe.

This is because certain kinds of research could be deemed illegal. Experts known as penetration testers, who look for weaknesses in internet infrastructure, often carry out similar actions to real cybercriminals in their attempts to improve the security of the web, such as scanning for vulnerabilities.

But such research is punishable under British law, even if it is carried out for altruistic ends, leaving potential weaknesses unresolved, critics of the CMA said.

What this means is that while it will fail to tackle the most serious online attacks, and chill research into security flaws, the proposed Bill will conveniently allow the UK government to target groups like Anonymous who carry out high-profile but relatively harmless actions over the Net. This section of the proposed Bill is really about the UK government bolstering its already disproportionate powers to throttle online protests by characterizing them as "serious cyberattacks", and threatening to impose life sentences on anyone involved.

from the can't-make-this-stuff-up dept

Defense Secretary Chuck Hagel is heading to Beijing to talk with the Chinese government, and the message he's bringing to the Chinese is that (a) Americans don't do irony and (b) we're a bunch of lying hypocrites. I'm sure that will go over well. You may recall the recent revelations that the NSA (which is a part of the defense department) had hacked into Huawei -- a company that the US keeps insisting is likely used by the Chinese government to spy on people... even though it has no evidence at all to support that.

In what may be the most unintentionally hilarious NY Times article you'll read in a while, the paper discusses how Hagel and the US government are preaching openness, transparency and candor when it comes to state-level cyberattacks, sharing information on what the US is doing, and hoping that the Chinese will reciprocate. In fact, the Obama administration recently held a briefing for the Chinese government in which they discussed the US's "doctrine" for defending against cyberattacks:

The idea was to allay Chinese concerns about plans to more than triple the number of American cyberwarriors to 6,000 by the end of 2016, a force that will include new teams the Pentagon plans to deploy to each military combatant command around the world. But the hope was to prompt the Chinese to give Washington a similar briefing about the many People’s Liberation Army units that are believed to be behind the escalating attacks on American corporations and government networks.

So far, the Chinese have not reciprocated — a point Mr. Hagel plans to make in a speech at the P.L.A.’s National Defense University on Tuesday.

Note, of course, that they only discussed how the US defends against attacks, not their offensive capabilities, such as hacking into Huawei or introducing destructive malware like Stuxnet. Even so, Hagel's mantra seems to be that "transparency" is suddenly a good thing.

In Beijing, the defense secretary “is going to stress to the Chinese that we in the military are going to be as transparent as possible,” said Rear Adm. John Kirby, the Pentagon press secretary, “and we want the same openness and transparency and restraint from them.”

Of course, that's quite a different message from a year ago. As you may recall, just as the first Snowden documents were being released to the public, President Obama was scolding China for its cyberattacks. But, as the NY Times article notes:

“We clearly don’t occupy the moral high ground that we once thought we did,” said one senior administration official.

You think?

And, yet, it seems that making these hilarious claims of "openness" and "transparency" from an administration famous for its unprecedented secrecy has been drilled into Hagel's head for this trip to Beijing. Discussing a different issue -- an escalating dispute between China and Japan over some uninhabited islands -- Hagel again made a statement that reads like pure hypocrisy:

"The more transparent and open governments can be with each other, the better for everyone. That avoids miscalculation, misinterpretation, misunderstanding, and hopefully that lowers the risks of conflict."

While that statement is likely true, it seems fairly rich for the US to be out there preaching that message, while being one of the least transparent, least open US administrations ever. Last year, we wrote about how the Snowden and Manning stories basically stripped the US of its ability to hypocritically browbeat other countries, because those other countries had little to push back on. As we noted, the way out of that was to stop being hypocritical and to actually practice openness and transparency. While, perhaps, you could argue that sharing a few details of our "cyberdefense" capabilities qualifies, that's a pretty hard sell. The US government still seems to hope that its own hypocrisies will be ignored while it preaches principles it comes nowhere close to living up to.

from the i-guess-they-would-know... dept

Nearly a year ago, well before all the Snowden leaks, we had a discussion about how, for all the talk from Keith Alexander about how the US was facing "unprecedented cyberattacks" that might bring about a "cyber Pearl Harbor," in reality, it appeared that the real global threat to computer systems was... the US government itself, via Keith Alexander's "US Cyber Command," which had, by far, the most sophisticated and advanced digital attack unit and wasn't afraid to use it. In fact, the US government seems to think it has incredibly broad powers to attack digitally. Of course, the nature of those attacks has become a lot more clear lately. And, as a part of that, one thing that's becoming clear: every time you hear a scary story about a kind of attack that some foreigners might do, you can pretty much guarantee: the NSA has already done it.

You may recall that, late in 2012, the House Intelligence Committee, led by dishonest NSA defender Rep. Mike Rogers, put out a report claiming that Americans should not use networking equipment made by Huawei, the Chinese networking giant, hinting that the company might be inserting backdoors and spyware into the equipment for the Chinese government. Huawei -- which had actually previously publicly asked the US government to investigate it to prove that such claims were false -- was not at all pleased about this, claiming that the whole thing was libelous and "utterly lacking in substance." A month ago, Huawei suggested that it was going to just ditch the US market because of all of this.

And yet... the recent NSA revelations about its technical capabilities to backdoor various hardware products showed that it's actually the NSA which has backdoors in Huawei's equipment. That doesn't foreclose the possibility that the Chinese have hacked it as well, but it sure looks ridiculous. As the Wired article linked above summarizes: "US to China: We hacked your internet gear we told you not to hack." This certainly plays into the hands of the Chinese, who have long argued that the attack on Huawei by Mike Rogers and friends was really just an attempt to pump up US-based competitors like Cisco (whose products the NSA has also apparently compromised).

And then there's the whole "BIOS" attack thing. You may recall that the big "scoop" in the hilariously lopsided 60 Minutes infomercial for the NSA by John Miller (a counterterrorism official pretending to be a journalist), was that there was some scary foreign threat out there from another country that was going to "infect the BIOS" of every computer on earth and turn them all into bricks. Experts pointed out that the claims were pure gibberish.

Except in that same report about the NSA's technical capabilities came the news that it's the NSA that is installing malware in the BIOS. As Marcy Wheeler notes:

Most fearmongering claims the NSA makes may well be projection about its own activities.

None of this means that others (and the finger is usually pointed at the Chinese) aren't doing the same sorts of things themselves. But it sure does seem pretty hypocritical to go around fearmongering about the things that we, ourselves, are doing.

from the that-would-be-big dept

Matt Blaze has been pointing out that when you read the new White House intelligence task force report and its recommendations on how to reform the NSA and the wider intelligence community, there may be hints of other excesses not yet revealed by the Snowden documents. Trevor Timm may have spotted a big one. In the recommendation concerning increasing security in online communications, the second sub-point sticks out like a sore thumb:

If you can't read that, it says:

Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial system.

While there have been plenty of reports about the US running hundreds of offensive cyberattacks on others, outside of things like Stuxnet, not many have been directly identified. And I'm unaware of any claims suggesting attempts to "manipulate the financial system" of any particular country and/or to "change the amounts held in financial accounts." It seems a bit odd to come out of the blue like that, and certainly suggests that this particular bullet point likely came as a result of a rather specific thing that came up during the task force's review.

So, now we wait for the inevitable news of what sort of financial shenanigans the NSA was up to.

from the good-luck-with-that dept

And the attempts to tar and feather Ed Snowden continue. The latest is that famed reporter Kurt Eichenwald, who started attacking Ed Snowden months ago, has written up a long speculative article for Newsweek arguing that Ed Snowden has "escalated the cyber war" by giving China the necessary cover it needs to avoid reining in its own cyber attacks. There are a lot of words in the piece -- in usual Eichenwald fashion -- which just add flowery language around the basic point:

"Snowden changed the argument from one of 'The Chinese are doing this, it's intolerable' to 'Look, the U.S. government spies, so everybody spies,' '' says Richard Bejtlich, chief security officer at Mandiant, the firm that linked hacking intrusions in America to the Chinese military. "Of course the U.S. spies, but none of what the U.S. is doing is benefiting American business, and pretty much everything the Chinese are doing is benefiting Chinese businesses."

That is, if you follow the bizarre logic here, without Snowden, Eichenwald believes that the US would have somehow convinced the Chinese to stop their cyber attack program. And, now because of Snowden, the Chinese can ignore that effort, by pointing out that the US is doing a ton of online hacking too. This is ludicrous on multiple levels. First: the idea that China would actually back off of its online efforts is simply not based in reality. They're going to attack and they're going to keep attacking. Second, there's the idea that it's Snowden's fault that China now has this excuse not to stop hacking. It wasn't Snowden who made the decision to have the NSA overreach in its operations. That's on the US government -- but in Eichenwald's mind (fed heavily by US intelligence community employees) -- the US government can do no wrong and its spying is "different" than Chinese activities, because it's for good reasons.

Of course, this is the same excuse that defenders of bad state behavior always use. In fact, it's the same excuse that the Chinese use for many of their own online activities -- such as the Great Firewall of China, which they don't see as censorship, but providing a better internet.

Again, nearly everything about that statement is ridiculous. He didn't "leave all of the documents in Hong Kong." He provided heavily encrypted versions to a very small number of journalists, and then got rid of the files himself. Eichenwald takes that to mean he "left" them in Hong Kong, based on nothing, and all of this apparently means that Snowden is working for the Chinese (even though he left China pretty quickly).

Of course, all of this is coming out even as more and more officials around the world, including in the US, are recognizing how important the Snowden leaks have been in showing the nature of how the NSA has gone way beyond what it's supposed to be doing. It really feels like Eichenwald's piece is just a last gasp effort by his friends in the intelligence community to try to tar and feather Snowden rather than take responsibility for their own activities.

from the who-do-they-think-they're-kidding dept

There are times you just shake your head and wonder who the NSA top officials think they're kidding with their statements. Take, for example, some recent comments from the NSA's number two guy in charge, Chris Inglis, the Deputy Director, who gave an interview to the BBC where he tried to paint the NSA as not being quite as bad as everyone says, but admitted that there could be more transparency. That's all the usual stuff, but the following tidbit caught my eye:

The job of the NSA, Mr Inglis said, was to exploit networks to collect intelligence in cyberspace and to defend certain networks - but not carry out destructive acts.

"NSA had a responsibility from way back, from our earliest days, to both break codes and make codes," he said. "We have a responsibility to do intelligence in a space we once called the telecommunications arena - now cyberspace - and the responsibility to make codes or to defend signals communications of interest.

"That's different than what most people conceive as offence or attack in this space."

That task of destructive cyber attack, if ordered, lies with the US military's rapidly expanding Cyber Command.

Except, as we've noted more than a few times, US Cyber Command is the NSA. It's run by Keith Alexander, the director of the NSA, and it's housed in the same place as the NSA. For all intents and purposes, US Cyber Command is the NSA, and Alexander has no problem at all swapping hats depending on what's most convenient. He regularly tries to talk about "protecting the network" when it suits him, ignoring that the same efforts he's looking at (greater access to corporate networks) would also make it much easier for the NSA and US Cyber Command to launch offensive attacks -- which Snowden's leaks proved the NSA did hundreds of times.

Pretending the two are different, and that the NSA only focuses on "breaking codes and making codes" is yet another bogus claim from an NSA official, adding to a very long list.

from the we-are-the-cybersecurity-threat dept

It's pretty typical for companies and governments hoping to "bury" important bad news to release it late on a Friday evening, hoping to miss the news cycle. If you're extra lucky, that Friday happens to come right before a long weekend, such as Labor Day. But, for the life of me, I can't figure out why a major news publication, like the Washington Post would break a big story on a Friday night before Labor Day weekend, pretty much guaranteeing that it doesn't get very much attention at all. Very bizarre -- but we figured we'd try to bring this story to you guys on Tuesday, back after the week is underway so the story doesn't get lost. The details: as suspected, the US is actually one of the leading proponents of offensive cyberattacks. This isn't a huge surprise, since they've more or less admitted to having "broad powers" but there have been questions both about the rules of engagement and just how often the US uses these capabilities.

Wonder no more. The Washington Post's Barton Gellman has the story from the black budget, showing 231 offensive cyber-operations in 2011, a number that likely went up quite a bit in 2012 (and again in 2013). For all the hype about "cybersecurity" threats from abroad, it still looks like the biggest cybersecurity threat out there is our own government. And, yes, everyone already knows about Stuxnet, and it sounds like most of these offensive efforts aren't nearly as ambitious, but there's still a lot going on.

Separately, the story confirms earlier reports that the US government is a huge purchaser of exploits from various hackers, choosing to exploit them, rather than use them to help protect our systems. For 2013, the feds budgeted $25.1 million for the "additional covert purchases of software vulnerabilities." But that's really only a fraction of the number of exploits. The report notes that most vulnerabilities the NSA uses actually are designed at home.

Also, those few hundred attacks appear to downplay the capabilities of the NSA (and the CIA) should they want to do more, because it sounds like they've hacked into a variety of networks and have zombie machines at the ready:

By the end of this year, GENIE is projected to control at least 85,000 implants in strategically chosen machines around the world. That is quadruple the number — 21,252 — available in 2008, according to the U.S. intelligence budget.

The NSA appears to be planning a rapid expansion of those numbers, which were limited until recently by the need for human operators to take remote control of compromised machines. Even with a staff of 1,870 people, GENIE made full use of only 8,448 of the 68,975 machines with active implants in 2011.

For GENIE’s next phase, according to an authoritative reference document, the NSA has brought online an automated system, code-named TURBINE, that is capable of managing “potentially millions of implants” for intelligence gathering “and active attack.”

While the fact that the NSA is doing all of this isn't a huge surprise and merely confirms earlier reports, the actual scale of the operations is certainly quite eye-opening.

from the whoa dept

Bloomberg came out with quite a bombshell last night, discussing how lots of tech companies apparently work with the NSA and other government agencies, not to pass data on users over to the government, but to share exploit information, sometimes before it's public or patched -- in some cases so it can be useful for the US government to use proactively. Last month, we had written about how the feds were certainly collecting hacks and vulnerabilities for offensive purposes, but it wasn't clear at the time that some of these exploits were coming directly from the companies themselves.

The report names one major participant: Microsoft:

Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

That's fairly incredible. You'd expect Microsoft and other tech companies to be focused on fixing the bugs first, not letting the NSA exploit the vulnerabilities on foreign computers.

The same report, once again, implicates the big telcos for their cushy relationship with the intelligence community -- in which the telcos willingly and voluntarily hand over massive amounts of user data. There's no oversight here, because the telcos apparently have no problem dismantling the privacy of their users.

Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.

In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.

The article later notes that the big telcos -- AT&T, Verizon, Sprint, Level3 and CenturyLink -- have all agreed to participate in a program called Einstein 3, which analyzes metadata on emails, but that all of the companies asked for and received assurances that participating wouldn't make them liable for violating wiretapping laws.

Before they agreed to install the system on their networks, some of the five major Internet companies -- AT&T Inc. (T), Verizon Communications Inc. (VZ), Sprint Nextel Corp. (S), Level 3 Communications Inc. (LVLT) and CenturyLink Inc. (CTL) -- asked for guarantees that they wouldn’t be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn’t meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.

Suddenly the "blanket immunity" clauses in CISPA make a lot of sense. The whole point of CISPA, it appears, is to further protect these companies when this kind of information comes out.

from the but-of-course dept

Another day, another leak -- and once again, it's not much of a surprise, but rather a confirmation of what's long been suspected. This time, it's that President Obama has ordered the US to draw up a list of "targets" for proactive cyberattacks, as revealed (yet again) by Glenn Greenwald at the Guardian. This is a point we'd raised months ago. For all the talk of "cybersecurity" fears, it's the US that's been the biggest proponent of proactive cyberattacks.

The 18-page Presidential Policy Directive 20, issued in October last year but never published, states that what it calls Offensive Cyber Effects Operations (OCEO) "can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging".

It says the government will "identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power".

The directive also contemplates the possible use of cyber actions inside the US, though it specifies that no such domestic operations can be conducted without the prior order of the president, except in cases of emergency.

Again, this shouldn't be a surprise if you're paying attention. Back in February, we noted that the White House had done an internal "legal review" and decided for itself that it had broad powers when it came to cyberattacks.

I'm guessing we're still going to be seeing a lot more big leaks in the near future....